CyberWire Daily - Who worked through SolarWinds? An APT “likely Russian in origin,” says the US. Rattling backdoors, rifling cryptowallets, and asking victims if they’re insured. No bail for Mr. Assange.

Episode Date: January 6, 2021

The US Cyber Unified Coordination Group says the Solorigate APT is “likely Russian in origin.” Threat actors are scanning for systems potentially vulnerable to exploitation through a Zyxel backdoor. ElectroRAT targets crypto wallets. Babuk Locker is called the first new ransomware strain of 2021. The New York Stock Exchange re-reconsiders delisting three Chinese telcos. Joe Carrigan from Johns Hopkins joins us with the latest clever exploits from Ben Gurion University. Our guest is Jens Bothe from OTRS Group on the importance of the US establishing standardized data privacy regulations. And Julian Assange is denied bail. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/3

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 The U.S. Cyber Unified Coordination Group says the Solorigate APT is likely Russian in origin. Threat actors are scanning for systems potentially vulnerable to exploitation through a Zyxel backdoor. ElectroRAT targets crypto wallets. Babuk Locker is called the first new ransomware strain of 2021.
Starting point is 00:02:19 The New York Stock Exchange re-reconsiders delisting three Chinese telcos. Joe Carrigan from Johns Hopkins joins us with the latest clever exploits from Ben-Gurion University. Our guest is Jens Bothe from OTRS Group on the importance of the U.S. establishing standardized data privacy regulations. And Julian Assange is denied bail. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 6, 2021. Yesterday afternoon, the Cyber Unified Coordination Group, the task force established by the U.S. President and his National Security Council to investigate and remediate the Solorigate incident, released a statement on its conclusions so far.
Starting point is 00:03:21 It read, in part, "This work indicates that an advanced persistent threat actor, likely Russian in origin, is responsible for most or all of the recently discovered ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was and continues to be an intelligence-gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly." This isn't the first attribution of the campaign to Russia by U.S. officials. Both Secretary of State Pompeo and Attorney General Barr said as much during media availabilities over the past few weeks. But it is a more formal acknowledgment of Russian responsibility than
Starting point is 00:04:05 were those earlier statements. The UCG is composed of elements drawn from CISA, the FBI, NSA, and the Office of the Director of National Intelligence, all of which are notably more reticent in offering attribution than either senior officials or the private sector. Roles and missions within the UCG task force are worth reviewing. The FBI has the lead for threat response and is working on identifying victims, collecting evidence, analyzing the evidence to determine further attribution, and sharing results with the government and private sector partners to inform operations, the intelligence picture, and network defense. CISA, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency,
Starting point is 00:04:51 has the lead for asset response, which involves sharing information quickly with government and private sector partners. ODNI, the Office of the Director of National Intelligence, coordinates the intelligence community's collection and analysis of information relevant to the incident, providing situational awareness for key stakeholders. NSA is serving in a support role with a focus on assessing the scale and scope of the incident and on providing technical mitigation measures. Bleeping Computer reports that attackers are working
Starting point is 00:05:24 to exploit vulnerable Zyxel systems. Researchers at security firm GreyNoise have found three distinct scans in progress for SSH devices. The scanners then try to log in using Zyxel backdoor credentials. One of the IP addresses doing the scanning has been using Cobalt Strike's SSH client, which suggests to researchers that the threat actor may be using this technique to evade detection by threat intelligence shops. Bitcoin has reached new highs in the new year. The cryptocurrency was trading this morning at $34,241.20, and cybercriminals are predictably following the money. Security firm Intezer is describing a criminal campaign it's calling ElectroRAT. It targets credentials for crypto
Starting point is 00:06:13 wallets by inducing its victims to download trojanized apps the gang offers via social media and altcoin user forums. The malware is cross-platform, with Windows, MacOS, and Linux variants in circulation. Its capabilities include keylogging, screenshots, exfiltrating data, downloading files, and executing commands on the victim's console. 2021's first new strain of ransomware, Babook Locker, is out in the wild, according to Bleeping Computer. It's assessed as amateurish, but equipped with effective encryption. The ransom demands have been running from $60,000 to $85,000. The hood's negotiating messages are interesting in two respects.
Starting point is 00:06:58 They ask the victim if they're covered by cyber insurance and whether they're working with a ransomware recovery company. This would seem to suggest that the criminals are looking to insurance companies and security firms as effectively middlemen, presumably thinking that those third parties might be counted on to persuade the victim to pay up. Bloomberg says that after a call from U.S. Treasury Secretary Mnuchin, the New York Stock Exchange is reconsidering its reconsideration and is again thinking it may delist China Mobile, China Telecom, and China Unicom.
Starting point is 00:07:34 Executive Order 13959, addressing the threat from securities investments that finance communist Chinese military companies, effectively prohibits U.S. citizens from investing in the Chinese telecommunications firms. The executive order takes effect on January 11th. The order's provisions are complex, and Treasury has published a set of facts in the hope of bringing some clarity to the matter. On the one hand, quote, any transaction in publicly traded securities or any
Starting point is 00:08:03 securities that are a derivative of or are designed to provide investment exposure to such securities of any communist Chinese military company is prohibited regardless of such security share of the underlying index fund, ETF, or derivative thereof, end quote. On the other hand, the executive order, quote, does not require U.S. persons, including U.S. funds and related market intermediaries and participants to divest their holdings in publicly traded securities and securities that are derivative of or are designed to provide investment exposure to such securities of the communist Chinese military companies identified in the annex to EO 13959 by January 11, 2021. So, apparently, no new investment, but no requirement to divest immediately either. Stock prices of the companies on the list continue to ride the roller coaster. WikiLeaks founder Julian Assange will remain in jail, CNN reports. A judge denied bail at a hearing this morning. Mr. Assange will continue to be incarcerated in Her Majesty's Prison, Belmarsh. Judge Vanessa Baritzer, who Monday denied a U.S. request that Mr. Assange be extradited to face 18 federal charges related to WikiLeaks, hacking, and espionage,
Starting point is 00:09:24 was the jurist who denied him bail. Reuters says that Mr. Assange is being held pending the outcome of an appeal the U.S. Department of Justice filed Monday. The judge said this morning, I am satisfied that there are substantial grounds for believing that if Mr. Assange is released today, he would fail to surrender to court to face the appeal proceedings. As far as Mr. Assange is concerned, this case has not yet been won. End quote.
Starting point is 00:11:50 With 2020 upon us and a new administration heading into the White House, it's an opportunity to consider the possibilities of new data privacy regulations coming out of Washington. Jens Bothe is Director of Global Consulting with OTRS, a cyber defense and security management firm in Frankfurt, Germany. Having been through the implementation of GDPR,
Starting point is 00:12:45 he shares insights on how it could inform our approach to data privacy stateside. So in Germany itself, we had a very good data protection law already before the GDPR was introduced and made to a German law. So there is not much change in Germany, but a lot of change for sure in the rest of Europe, in the rest of the world, because of the GDPR. And have we seen the sorts of fines that people were expecting? How has that come to pass?
Starting point is 00:13:23 Yes, there were some very high fines, especially to huge companies. So Google was one of the first to get a fine based on the GDPR in Europe, but also a lot of other companies because they got data loss or whatever, did not tell the people what they're doing with the data or were sharing it with the wrong people. So we've seen already some fines in different areas. protection as a main business, try to convince people and to check or companies, convince the companies and try to check with them what they can make better. So we also see that at the first step, especially in the small and medium-sized business, the government tries to avoid fines at the first and trying to work with these companies
Starting point is 00:14:25 to make it better and to help them to fulfill all the needs of the regulation. And do you suppose that GDPR is really getting the result that folks had hoped for? That the companies who are collecting data, has there been the meaningful change in their behavior that was the desired outcome here? Mostly, yes. So we see that companies think about,
Starting point is 00:14:56 do we really need to collect this data? What do we need to tell the people? So you really saw a huge spread of web pages or on web pages of slide-ins and pop-ups to ask for consents or just to inform people that data is collected. Sometimes it seems a little bit more to attention of all the users which are not deeply trained in how the internet is working and so on, especially that data is collected every time they visit pages, look at things, and this data can be used for a lot of different things and they really have to say yes or no and know what happens to their data. That's Jens Botte from OTRS.
Starting point is 00:16:04 And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the Hacking Humans podcast. Hey, Joe, good to have you back. Hi, Dave. You know, when I see these stories come by
Starting point is 00:17:06 that have to do with interesting ways to get information off of computers in ways that people haven't thought about before, there's one organization I always think of. You know who that is, right, Joe? Yes, I do. It's Ben-Gurion University. Yes. And they're at it again. So this is an article from ZDNet. What's going on here, Joe? So this is the work of Mordechai Guri. And he has, I guess, probably with some of his students here, they have come up with a way to exfiltrate data using RF. But a couple of interesting things about this. First, they can actually emit the RF in the 2.4 gigahertz bandwidth, which is where Wi-Fi listens and talks. All right.
Starting point is 00:17:52 So that means they can use other equipment or equipment that is already equipped, that already exists to intercept this signal. Right. There are already tons of cheap pieces of equipment you can buy that are tuned to listen in this frequency. Right. Let me give you some background on how this works. And this is how any of these RF side channels work.
Starting point is 00:18:16 There's a wire somewhere that is the proper length. And if you put a signal on that wire and then take that signal off, if you oscillate a signal on that wire, you effectively create an RF signal, right? You're making radio. Exactly. This is exactly how the radio in your car works because you're doing the same thing at the radio station. They're turning off and turning on a signal very quickly to modulate that signal so that your car can receive it. And these guys have found out that they have, that there's a wire somewhere that they can write ones and zeros to fast enough to actually emit or with a certain rate, really doesn't have to be fast enough, but they're doing
Starting point is 00:18:56 it so that that emits effectively a Wi-Fi signal that lets them move data from an air gap system. So this system doesn't have any network cards in it. It doesn't have a Wi-Fi card. It doesn't have an Ethernet card or anything. But they can actually communicate from that air gap system to a device a couple of meters away at a rate of about 100 bits per second. So it's kind of an academic exercise.
Starting point is 00:19:21 You're really not going to get a lot of information off at 100 bits a second. Maybe you can get some hashes off if the system is on a network that, let's say the system is connected to a network that's air-gapped and you want to impersonate somebody, you can probably use something to get hashes off if you can get malicious software onto that computer, which is another part of the challenge.
Starting point is 00:19:44 Just be very patient. Right, right. And it wouldn't take long at 100 bits a second to get a hash off. It might take a couple minutes. But it's really interesting work. And these guys have found all kinds of ways, all kinds of side channels in the RF spectrum to get data off of these computers. And in this case, they're using the RAM in the system, somehow getting the RAM to resonate at the right frequency
Starting point is 00:20:08 when they're generating. Exactly, by doing writes, by timing the writes to the memory at the right time. A couple interesting things about this is it can be done
Starting point is 00:20:15 by a process in user space. You don't need to have root access to the computer to do it. Anybody can do it. You can even do it from a VM within the computer. Hmm.
Starting point is 00:20:25 Wow. It's just, I mean, it's so clever, right? It is. It's just so clever. And time and time again, I mean, hats off to the folks over at Ben Gurion. I mean, this is, they're just, this is one of their specialities, right?
Starting point is 00:20:40 Is just coming up, the creativity here, that time and time again, they're coming up with these things. Right. I'm always fascinated by side channels. I think that they're really interesting. We have a professor, Lanier Watkins, at the Information Security Institute
Starting point is 00:20:55 who also does work with side channels. And I can listen to him talk about it all day. It's just something that is really interesting to me. I don't know why. It's one of those things that catches my fancy. Well, if you'll permit me a trip down memory lane, this reminds me of something from the early days of 8-bit computing and the old TRS-80 Model 1, which was RadioShack's first home computer, one of the original important computers in 8-bit computer history. So back then, computers had no sound, right?
Starting point is 00:21:29 Yes. The TRS-80 Model 1 had no sound. But someone had come up with a clever piece of software. It was called Dancing Demon. I remember Dancing Demon. And the Dancing Demon, you could put in different dance steps that you wanted the demon to do in this little, very low-resolution, blocky little demon where the curtain would raise, the demon would come out,
Starting point is 00:21:47 and he'd do a little shuffle, a little soft shoe, and he'd tap dance. Well, the computer had no sound, but the programmers figured out that one of the things about the Model 1 is that it was leaking all kinds of RF energy. In fact, RadioShack had to stop making the computer, and they made the Model 3 because the FCC came and said,
Starting point is 00:22:08 listen, you guys got to stop making this. You're violating Part 15 here. Right, it's just out of hand. But what you could do is you would put a, you'd hold it, you'd take an AM radio, put it next to the computer
Starting point is 00:22:20 and the programmers had figured out that they could manipulate the RF coming out of the machine to make the sound of the little demon tap dancing with somehow they'd figured out how to time certain activities within the computer to make, you know, practically a spark gap generator, you know, on the AM radio to make the sound of the little demon dancing. And that's how you had sound back in the original 8-bit computer days. So not that far off from what they're doing here, however many, 40 years later, right?
Starting point is 00:22:56 It's the exact same technology, except now they're able to control a wire on a, it's not really a wire, it's like a trace on a circuit board to get it to emit something that you can exfiltrate digital information with. Yeah. Just spun up
Starting point is 00:23:12 their own little software-defined radio, right? That's right. Yeah. All right. Well, it's an interesting story
Starting point is 00:23:18 for sure. And again, a hat tip to the folks at Ben Gurion. It's just, they blow me away with it. Just the cleverness here is amazing. Joe Carrigan,
Starting point is 00:23:28 thanks for joining us. It's my pleasure, Dave. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Avoid the noid. Listen for us on your Alexa smart speaker too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
Starting point is 00:24:10 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
